Project

General

Profile

Actions
Copy link

Feature #2926

closed

TLS offloading with mod_sockproxy

Added by flynn over 5 years ago. Updated almost 3 years ago.

Status:
Fixed
Priority:
Low
Category:
mod_sockproxy
Target version:
1.4.x
ASK QUESTIONS IN Forums:
No

Description

Is it (easy) possible, to have SSL/TLS offloading with mod_sockproxy?

Configuring lighttpd as a reverse proxy with TLS offloading works perfect,
but if I replace the 

proxy.server = ...

line with 
sockproxy.server = ...

it does not decrypt the stream.

Actions
Copy link
 #1

Updated by gstrauss over 5 years ago

  • Status changed from New to Wontfix
  • Priority changed from Normal to Low

The forums or IRC are more appropriate "forums" for pie in the sky questions than is the issue tracker.

Is it (easy) possible, to have SSL/TLS offloading with mod_sockproxy?

Please don't ever ask if something is "easy" unless you're volunteering to do it and asking for guidance (in which case the developer forum is the place to do it)

As for possible, anything is possible, but that isn't what mod_sockproxy was designed to do (please read the doc), and there are no current plans to change what mod_sockproxy was designed to do.

Actions
Copy link
 #2

Updated by gstrauss almost 3 years ago

  • ASK QUESTIONS IN Forums set to No

Is it (easy) possible, to have SSL/TLS offloading with mod_sockproxy?

Update: someone posted on IRC #lighttpd (irc.libera.chat) that this works for them with mod_sockproxy and mod_openssl, so perhaps this now works with a more recent version of lighttpd (than when this question was originally posted (Jan 2019)).

Actions
Copy link
 #3

Updated by gstrauss almost 3 years ago

Separately, I would like to apologize for the previous rude response.

Actions
Copy link
 #4

Updated by flynn almost 3 years ago

I tried again and it works now for me too.
Maybe I missed to enable the ssl-engine inside the the $SERVER["socket"] section two years ago ...

An equivalent to $HTTP["host"] would be very usefull, to switch between with SNI by the client requested host names.

Actions
Copy link
 #5

Updated by gstrauss almost 3 years ago

  • Category set to TLS
  • Status changed from Wontfix to Fixed

See also feature request #3081

FYI: If your non-HTTP TLS client provides SNI, #3081 suggests that lighttpd might reject the connection due to ALPN mismatch with the HTTP-specific ALPNs offered by lighttpd.

(It should not be surprising that a server named "lighttpd" with an "httpd" suffix currently provides HTTP-specific ALPNs.)

Actions
Copy link
 #6

Updated by gstrauss almost 3 years ago

  • Category changed from TLS to mod_sockproxy
Actions
Copy link

Also available in: Atom